Hex Editing for Beginners

  • 8/11/2019 Hex Editing for Beginners

    Hex Editing: First Steps

    Hex-a-What?

    The hexadecimal notation is almost universally used in computing - and not without a reason. There are sixteen hex digits - 0 to 9, and A to F (which correspond to decimal values 10 to 15), and each hex digit represents exactly four bits. Exactly two hex digits represent a byte, which can have a value from 00 to FF (that is from 0 to 255 decimal). In order to find a hex value of a multi-byte object, you would concatenate its bytes, for example, bytes 58 A4 1B FE constitute a four-byte value 58A41BFE (or FE1BA458 if the computer uses the reverse byte ordering).

    But why hexadecimal? Can't we just use good old decimal numbers? Well, they would be fine for a decimal computer, but most contemporary computers are binary and work on bits and bytes. A decimal digit represents approximately 3.3 bits, and this makes arithmetic too complicated. Let's assume we have two bytes with decimal values 243 and 78. What will be the value of the two-byte word? 24378? No, this method works with hexadecimal digits only. To find the decimal value of the word we must compute 243*256+78, which equals 62286. Does not look very obvious, does it? Imagine finding a value of an eight-byte long variable and you will see why the decimal notation is not the best choice for binary computers.

    Do I really need to know this?

    Yes, you should have some understanding of hexadecimal notation; in fact, there is not much else to know. A hex byte is the only kind of object a computer handles, and hex bytes are used to represent anything. For example, a hex byte 50 may represent the capital letter P, the processor command "push eax", the decimal number 80, a color component with 31% brightness, or a zillion of other things.

    The obvious question is "How can I tell what the byte represents?" Well, sometimes you can tell that easily, sometimes - not that easily, and in many cases you can't tell that at all. It is usually easy to recognize a character string, but in other cases you will have to guess. Fortunately, it is not as bad as it sounds, and you will quickly pick up a few tricks.

    But for now it is enough to understand that 1) any computer data is just an array of hex bytes, and 2) a hex editor is a program that shows the true contents of a file, and lets you edit the data you normally can't.

    Main Edit Window

    It is time to try out our new knowledge and see what hex data looks like. Install FlexHEX if you haven't done it yet. Right-click any binary file in the Windows Explorer window and select "Edit with FlexHEX". You will see the binary contents in the FlexHEX main edit window:

    You can see four distinct panes marked with different colors. The leftmost one is the Address pane; each number in the pane shows the address of the first byte of the corresponding line. The only exception is the line on which the input caret is - it shows the address of the current byte, not the first one. The addresses are shown as hexadecimal numbers but if you point the mouse cursor to an address, the decimal value will appear in the Quick View popup window.

    The next is the Hex pane, which displays the file contents as an array of hex bytes. The light green ANSI pane shows the file contents as characters, and the rightmost UNICODE pane shows two-byte UNICODE characters.

    Note that all three data panes show different representations of the same data. If you change data in any data pane, the other two will change accordingly. You can switch between the panes by pressing the Tab or Shift-Tab key, or just by pointing the mouse cursor and pressing the left mouse button.

    Inspecting Data

    Hex numbers may be good for computers, but how can one convert a hex number to a more human-friendly decimal value? Easy! First, select the number either with your mouse, or by using the arrow keys while holding down the Shift key. Second, move the mouse cursor to the selected area, and FlexHEX will display all the valid representations in the Quick View popup window.

    Sometimes there is no valid representation at all. For example, if you select five bytes, there will be no Quick View window because FlexHEX knows no object five bytes long. However any 1, 2, 4, 8, or 16 byte long field has at least one valid representation. In general, when the mouse cursor changes to the arrow-with-question-mark shape, this means that FlexHEX has something to show you and the Quick View window is ready to appear.
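The same idea in code, as an added example that is not part of the original tutorial and not FlexHEX's implementation: the function below returns every typed reading of a selected byte field in both byte orders, and nothing for a length that matches no type. The set of readings (integers for every valid size, floats for 4 and 8 bytes) and all names are assumptions made for this sketch.

```python
import struct

VALID_SIZES = (1, 2, 4, 8, 16)      # field lengths the tutorial names
FLOAT_FORMATS = {4: "f", 8: "d"}    # IEEE 754 single and double precision

def representations(selection: bytes) -> dict:
    """Return every typed reading of the selected bytes, or {} if none fits."""
    if len(selection) not in VALID_SIZES:
        return {}                   # e.g. five bytes: no known object type
    views = {}
    # "be" concatenates the bytes as written; "le" is the reverse byte ordering.
    for label, order in (("be", "big"), ("le", "little")):
        views[f"uint_{label}"] = int.from_bytes(selection, order, signed=False)
        views[f"int_{label}"] = int.from_bytes(selection, order, signed=True)
    fmt = FLOAT_FORMATS.get(len(selection))
    if fmt:
        views["float_be"] = struct.unpack(">" + fmt, selection)[0]
        views["float_le"] = struct.unpack("<" + fmt, selection)[0]
    return views

# Constructed samples built from the values used in the text above.
WORD = bytes.fromhex("58 A4 1B FE")   # four-byte value from "Hex-a-What?"
PAIR = bytes([243, 78])               # the two decimal bytes 243 and 78
FIVE = bytes.fromhex("4D 61 72 79 20")

if __name__ == "__main__":
    for name, value in representations(WORD).items():
        print(f"{name:9} {value}")
    print("two-byte word:", representations(PAIR)["uint_be"])
    print("five bytes:", representations(FIVE))
```
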

    Editing Data

    Now that we know the basics let's go straight to hex editing. Start FlexHEX and you will see the main editing window with an automatically created new empty file. It has zero length but can be extended - the light gray boxes mark the positions where you can enter new data. Enter the hex bytes "4D 61 72 79 20" starting from the position 0, where the input caret initially was:

    Now press the Tab key to switch to the green ANSI pane and type in "had a little lamb". It is easy to see that every byte in the Hex pane corresponds to some character in the ANSI pane. When you enter a hex value, the corresponding character appears in the ANSI pane and vice versa.

    Don't be afraid to make a mistake - FlexHEX has an unlimited Undo/Redo list. If you did something wrong, just press Ctrl-Z to undo the action.

    Editing Existing File

    A simple but rather typical task is to go to some address and replace some bytes. As an example we will change the byte string "EB 1F 5F FB" to "01 00 00 00" at the address 52E1C.

    The first step is to find the data to be modified. Select the Navigation / Go To command or just press Ctrl-G and enter the address:

    Don't forget to pay attention to the Dec/Hex selector. FlexHEX is smart enough to recognize a hexadecimal number if it contains hex digits A to F, but if the number consists of decimal digits only, make sure you have selected the correct number radix.

    Now press the Go To button and you are there:

    We have found the data, but before typing in the new values check the Insertion Mode indicator in the status bar. If it displays OVERWRITE, the newly entered data will replace the data at the current position marked by the blinking input caret.

    The INSERT mode works differently. The existing data starting from the current position are shifted below, making place for the data you are entering. Note that this will change the position of all data objects below the insertion point. Many files get corrupted if their data have been shifted, so be careful and pay attention to the shift indicator in the status bar.

    If the current mode is INSERT, press the Insert key to switch to the OVERWRITE mode.

    Now type in the new hex data:

    You may have noticed that a new Modified tab has appeared in the Navigation panel. Click the tab to open the pane:

    This pane lists all modified areas in the file. Click the area starting or ending address to jump there; to select the whole area, click the size field.
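The whole procedure above as a script, added here as an example that is not part of the original tutorial or of FlexHEX: it resolves the address the way the Dec/Hex selector is described, checks that the expected bytes are really there before overwriting, reports the modified area, and shows how INSERT shifts the data that follows. The function names and the sample file image are constructed for illustration.

```python
ADDRESS_TEXT = "52E1C"                    # address from the tutorial
OLD = bytes.fromhex("EB 1F 5F FB")        # bytes expected at that address
NEW = bytes.fromhex("01 00 00 00")        # replacement bytes

def parse_address(text: str, hex_selected: bool) -> int:
    """Digits A-F force hex; a digits-only string follows the Dec/Hex selector."""
    has_hex_letter = any(c in "abcdefABCDEF" for c in text)
    return int(text, 16 if (has_hex_letter or hex_selected) else 10)

def overwrite(data: bytes, offset: int, expected: bytes, new: bytes):
    """OVERWRITE mode: replace in place, so the file length never changes."""
    if len(new) != len(expected):
        raise ValueError("replacement must be as long as the original bytes")
    found = data[offset:offset + len(expected)]
    if found != expected:                 # wrong address, radix or file version
        raise ValueError(f"unexpected bytes at {offset:X}: {found.hex().upper()}")
    patched = data[:offset] + new + data[offset + len(expected):]
    # (start, end, size), like one row of the Modified pane
    return patched, (offset, offset + len(new) - 1, len(new))

def insert(data: bytes, offset: int, new: bytes) -> bytes:
    """INSERT mode: everything from offset onward is shifted toward the end."""
    return data[:offset] + new + data[offset:]

# Constructed file image: zero padding, the target bytes, then a marker that
# stands for any data object located below the edit point.
ADDRESS = parse_address(ADDRESS_TEXT, hex_selected=False)
MARKER = b"TAIL"
SAMPLE = bytes(ADDRESS) + OLD + MARKER

if __name__ == "__main__":
    patched, area = overwrite(SAMPLE, ADDRESS, OLD, NEW)
    print("modified area: %X-%X, %d bytes" % area)
    print("marker after overwrite: %X" % patched.find(MARKER))
    print("marker after insert:    %X" % insert(SAMPLE, ADDRESS, NEW).find(MARKER))
```
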

    Changing Typed Values

    Sometimes you need to make modification to a typed object, not just to a sequence of hex bytes. With FlexHEX, it is no more complicated than simple hex editing. Select the object (usually 1, 2, 4, 8, or 16 bytes long), right-click and select the Edit Selected As command from the menu:

    Select the appropriate representation and enter the new value.

    Happy Hex Editing!

    Comments? Suggestions? Please feel free to let us know.

    Copyright 2007 Inv Softworks LLC. All rights reserved.